summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/spnego.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r2307: Fix the use of 'raw' NTLMSSP to hosts that support extended security,Andrew Bartlett1-2/+3
but do not support SPNEGO (such as XP, when not joined to a domain). This is triggered by the presense or lack of a security blob in the negprot reply. Andrew Bartlett (This used to be commit 99f7a38c077725b22475f2ba68d0955114879c24)
2007-10-10r2284: Thanks to some great detective work by tridge, NTLM2 signing now works.Andrew Bartlett1-16/+46
This means that 'require NTLMv2 session security' now works for RPC pipe signing. We don't yet have sealing, but it can't be much further. This is almost all tridge's code, munged into a form that can work with the GENSEC API. This commit also includes more lsakey fixes - that key is used for all DCE-RPC level authenticated connections, even over CIFS/ncacn_np. No doubt I missed something, but I'm going to get some sleep :-) Andrew Bartlett (This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
2007-10-10r2119: Noticed by jra:Andrew Bartlett1-6/+0
Clean up use of unitilaised variable. Andrew Bartlett (This used to be commit e8d0246882f0d70dc3c63208d0a990804f36a05d)
2007-10-10r1752: Fix compile bugs on C (rather than C++) tolerant compilers.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 0949b72645024a6810f447fe8acb643f98588ab3)
2007-10-10r1731: Add server-side SPNEGO support to Samba (disabled, until SMB signingAndrew Bartlett1-103/+207
is reworked). Andrew Bartlett (This used to be commit 73ee549b8c54e93556ff0105941996e0d4de8303)
2007-10-10r1605: GENSEC krb5 updates - fix a valgrind found uninitialised variable, andAndrew Bartlett1-12/+20
allow tests for 'unwrapped' krb5, allowed by Win2k3. SPENGO changes, trying to get the logic right (when and what sub-mechanisms to wrap). Andrew Bartlett (This used to be commit 8a0f7bf5e282d021afe93994a91fd76fa9c05f42)
2007-10-10r1521: Updates to our SMB signing code.Andrew Bartlett1-20/+23
- This causes our client and server code to use the same core code, with the same debugs etc. - In turn, this will allow the 'mandetory/fallback' signing algorithms to be shared, and only written once. Updates to the SPNEGO code - Don't wrap an empty token to the server, if we are actually already finished. Andrew Bartlett (This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353)
2007-10-10r1475: More kerberos workAndrew Bartlett1-1/+2
- We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2007-10-10r1462: GENSEC Kerberos and SPENGO work:Andrew Bartlett1-60/+62
- Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
2007-10-10r1449: Use the config system somewhat better in libcli/authJelmer Vernooij1-1/+1
(This used to be commit 69de0d95c585c1a73072e921884cbd427c160176)
2007-10-10r1421: fix a uninitialized var (thanks valgrind:-)Stefan Metzmacher1-5/+15
add a view debug messages metze (This used to be commit 79953dccc1f21dbabddff73a4b6d862eace29eb9)
2007-10-10r1372: Remove the 'default' case from the SPENGO state machine, and fix upAndrew Bartlett1-6/+6
some compiler warnings that allowed us to see. Andrew Bartlett (This used to be commit 1a6c2018dd49519e6fccdd5a7f35d70b67d45275)
2007-10-10r1367: SPNEGO know uses gensec_subcontext_start() in all placesStefan Metzmacher1-1/+2
metze (This used to be commit f7379324025c599cd201ce6d0905f0ca2c24ce73)
2007-10-10r1366: handle the case where the client need to send the negTokenInit beforeStefan Metzmacher1-1/+88
getting something from the server. (this is needed by SPNEGO in dcerpc) metze (This used to be commit ec978555f0bd612b80dfa49ccc880a3858285879)
2007-10-10r1365: in SPNEGO_SERVER_TARG we should not check the spnego_negResultStefan Metzmacher1-9/+0
because the client don't send this metze (This used to be commit b1217a4ef6592082bb02fd0596a0563bacdf1d8e)
2007-10-10r1364: the SPNEGO_SERVER_TARG state is different from the SPNEGO_CLIENT_TARGStefan Metzmacher1-4/+72
the client checks but not send spnego_negResult metze (This used to be commit 49e4d375e9504f595aaa64ac62ddb421f082c424)
2007-10-10r1360: - remove unused state SPNEGO_CLIENT_SEND_MECHSStefan Metzmacher1-5/+0
- remove unsed gensec_user forward, it's done by the gensec layer know metze (This used to be commit e19e5a91f2fd988546f42473bf241dff3c2fe198)
2007-10-10r1358: Re-indent the SPENGO implementation, and work on the basis of aAndrew Bartlett1-146/+201
switch, rather than a series of if statements. Also start to use the GENSEC subcontexts, and add some comments explaining some of the 'odd' logic in parts. I'll probably break these out into subfunctions soon. Thanks to metze for getting me to do this :-) Andrew Bartlett (This used to be commit 73e03596d3b2ad5927e8154d0fbfbdae9ec3f717)
2007-10-10r1350: - init nt_status- found by valgrindStefan Metzmacher1-1/+2
- set auth_type = DCERPC_AUTH_TYPE_SPNEGO metze (This used to be commit 7354521f3cfaa2ead8fac38a68b7704d43731f72)
2007-10-10r1347: - remove typedefStefan Metzmacher1-4/+13
- pass down gensec_user to the sub context - if segfault when mechType is NULL metze (This used to be commit 3f84263c27add3bf01eea88618f707da925bed5c)
2007-10-10r1346: revert my last spnego changesStefan Metzmacher1-124/+114
metze (This used to be commit 7b8237bfb3c302a448a7db0236c0a953603dcd89)
2007-10-10r1344: add gensec_start_mech_by_name()Stefan Metzmacher1-114/+124
some gensec spnego fixes (NULL pointer and length checks) metze (This used to be commit 41ff6d0cd47f6295fe7fe1d31fec7306416ce199)
2007-10-10r1294: A nice, large, commit...Andrew Bartlett1-60/+115
This implements gensec for Samba's server side, and brings gensec up to the standards of a full subsystem. This means that use of the subsystem is by gensec_* functions, not function pointers in structures (this is internal). This causes changes in all the existing gensec users. Our RPC server no longer contains it's own generalised security scheme, and now calls gensec directly. Gensec has also taken over the role of auth/auth_ntlmssp.c An important part of gensec, is the output of the 'session_info' struct. This is now reference counted, so that we can correctly free it when a pipe is closed, no matter if it was inherited, or created by per-pipe authentication. The schannel code is reworked, to be in the same file for client and server. ntlm_auth is reworked to use gensec. The major problem with this code is the way it relies on subsystem auto-initialisation. The primary reason for this commit now.is to allow these problems to be looked at, and fixed. There are problems with the new code: - I've tested it with smbtorture, but currently don't have VMware and valgrind working (this I'll fix soon). - The SPNEGO code is client-only at this point. - We still do not do kerberos. Andrew Bartlett (This used to be commit 07fd885fd488fd1051eacc905a2d4962f8a018ec)
2007-10-10r1229: the name of the protocol should be in first place of a function nameStefan Metzmacher1-7/+7
rename <read|write|free>_spnego_data() into spnego_<read|write|free>_data metze (This used to be commit 3f57c8f596eb6ad31a024acaf60fefcfd28d8387)
2007-10-10r1200: Add 'gensec', our generic security layer.Andrew Bartlett1-272/+250
This layer is used for DCERPC security, as well as ntlm_auth at this time. It expect things like SASL and the CIFS layer to use it as well. The particular purpose of this layer is to introduce SPENGO, which needs generic access to the actual implementation mechanisms. Schannel, due to it's 'interesting' setup properties is in GENSEC, but is only in the RPC code. Andrew Bartlett (This used to be commit 902af49006fb8cfecaadd3cc0c10e2e542083fb1)
2007-10-10r1198: Merge the Samba 3.0 ntlm_auth, including the kerberos and SPENGO parts.Andrew Bartlett1-0/+343
I have moved the SPNEGO and Kerberos code into libcli/auth, and intend to refactor them into the same format as NTLMSSP. Andrew Bartlett (This used to be commit 58da78a7460d5d0a4abee7d7b84799c228e6bc0b)